A port opens up when there's a service listening on it. In this case, port 80 is usually open if you have a webserver running on the machine. If you're just playing around with nmap, then you can use netcat to listen on port 80 so nmap sees it as open. Of course if you plan on playing with exploits that specifically attack a webserver, you'll need to install the actual webserver to get it working.

In addition to shadow's response, an easy server to put out with a minimum of fuss is to get the XAMP suite from apachedfriends.org.

What I did when first starting was to just drop it on my VM, start it up and start hitting it. Then I started to apply hardening measures until the easy stuff wouldn't work. After that you can search for new vulnerabilities and get creative.

Webgoat is a fun thing to run on an XP system, basically turns it into a vulnerable web server running on Apache I think. Run the exe and boom you have a web server to attack, to close it down, stop the app and you are back to normal.

You can throw IIS on if you want to go more specific with learning Windows based Webservers. It isn't really IIS in WinXP, but it is the Web Services. Very limited version of IIS. Designed mostly for putting up quick and dirty pages or even for testing basic web development.

If he is just playing around with nmap to learn it really doesn't matter what the web server is running. I go with Webgoat because it is designed with flaws. The Win XP webserver is close to IIS but missing a ton of features. The best bet for learning to pen test IIS is to grab an eval copy of Windows 2008 and build a web server on IIS 7. This way he will learn first how to build a Windows web server and then work toward hardening it as he is testing against it. Sadly there are not that many publicly known exploits for IIS 7. Webgoat is a nice quick and dirty web server that requires little setup. Run the exe and boom, server is up, proceed to testing.